Member
Posts: 2
Registered: ‎10-04-2020

HostedPayment token security issue


I am implementing HostedPayment using an embedded frame. While integrating, I noticed that the generated token is available on the parent page, where it can easily be replaced with a different token. Because the form and the iframe are on the same page, anyone can manipulate the HTML through inspect element and inject another token, with a different merchant id, in place of the real one, and all the payments will move to that merchant account. Below is the form that your documentation says to implement. Could you please look into it?

 

 

<div id="iframeHolder" class="center-block" style="width:90%;max-width: 1000px">
<iframe id="loadPayment" class="embed-responsive-item" name="loadPayment" width="100%" height="650px" frameborder="0" scrolling="no" hidden="true">
</iframe>

<form id="sendhptoken" name="sendhptoken" action="https://test.authorize.net/payment/payment" method="post" target="loadPayment">
<input type="text" name="token" value="{{token}}" />
</form>
</div>
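An added example, not part of the original post or of Authorize.net's documentation: a server-side check that marks an order paid only after a signed gateway notification for the merchant's own account matches that order, so a payment made through a token swapped in the browser never completes the order. The signing key, the order store, the `sha512=` header format and the JSON field names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed sample values: the key, order store and field names are assumptions.
SIGNATURE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ORDERS = {"INV-1001": {"amount": Decimal("49.99"), "paid": False}}


def sign(body: bytes, key: bytes = SIGNATURE_KEY) -> str:
    """HMAC-SHA512 over the raw notification body, keyed with the account's key."""
    return "sha512=" + hmac.new(key, body, hashlib.sha512).hexdigest()


def confirm_payment(body: bytes, signature_header: str) -> str:
    """Mark an order paid only when the notification is provably for our account."""
    # 1. Authenticity: only a notification signed with OUR key passes. A payment
    #    routed to another merchant's account never produces one.
    expected = sign(body).lower()
    if not hmac.compare_digest(expected, signature_header.strip().lower()):
        return "rejected: bad signature"
    payload = json.loads(body)["payload"]
    # 2. Binding: the payment must reference an order this server created.
    order = ORDERS.get(payload.get("invoiceNumber"))
    if order is None:
        return "rejected: unknown order"
    # 3. Outcome and amount must match what the server requested for that order.
    if payload.get("responseCode") != 1:
        return "rejected: not approved"
    if Decimal(str(payload.get("authAmount", 0))) != order["amount"]:
        return "rejected: amount mismatch"
    # 4. Idempotency: a replayed notification must not fulfil the order twice.
    if order["paid"]:
        return "ignored: already paid"
    order["paid"] = True
    return "accepted"
```

The browser-side redirect or iframe completion message is never consulted here; fulfilment depends only on what the server can verify.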